{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T04:36:50Z","timestamp":1769920610518,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":98,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,10,30]],"date-time":"2020-10-30T00:00:00Z","timestamp":1604016000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,10,30]]},"DOI":"10.1145\/3372297.3417869","type":"proceedings-article","created":{"date-parts":[[2021,3,4]],"date-time":"2021-03-04T16:22:09Z","timestamp":1614874929000},"page":"1953-1970","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":42,"title":["The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws"],"prefix":"10.1145","author":[{"given":"Kostas","family":"Drakonakis","sequence":"first","affiliation":[{"name":"FORTH ICS, Heraklion, Greece"}]},{"given":"Sotiris","family":"Ioannidis","sequence":"additional","affiliation":[{"name":"Technical University of Crete, Chania, Greece"}]},{"given":"Jason","family":"Polakis","sequence":"additional","affiliation":[{"name":"University of Illinois at Chicago, Chicago, IL, USA"}]}],"member":"320","published-online":{"date-parts":[[2020,11,2]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"2017. Open Web Application Security Project - The OWASP Top 10. https:\/\/www.cloudflare.com\/learning\/security\/threats\/owasp-top-10\/."},{"key":"e_1_3_2_2_2_1","unstructured":"2018. Dashlane - World Password Day: How to Improve Your Passwords. 
https:\/\/blog.dashlane.com\/world-password-day\/."},{"key":"e_1_3_2_2_3_1","unstructured":"2018. Four cents to deanonymize: Companies reverse hashed email addresses. https:\/\/freedom-to-tinker.com\/2018\/04\/09\/four-cents-to-deanonymize-companies-reverse-hashed-email-addresses\/."},{"key":"e_1_3_2_2_4_1","unstructured":"2018. WIRED - a new Google+ blunder exposed data from 52.5 million users. https:\/\/www.wired.com\/story\/google-plus-bug-52-million-users-data-exposed\/."},{"key":"e_1_3_2_2_5_1","unstructured":"2018. WIRED - the Facebook hack exposes an Internet-wide failure. https:\/\/www.wired.com\/story\/facebook-hack-single-sign-on-data-exposed\/."},{"key":"e_1_3_2_2_6_1","unstructured":"2019. Ars Technica - DHS: Multiple US gov domains hit in serious DNS hijacking wave. https:\/\/arstechnica.com\/information-technology\/2019\/01\/multiple-us-gov-domains-hit-in-serious-dns-hijacking-wave-dhs-warns\/."},{"key":"e_1_3_2_2_7_1","unstructured":"2019. 
Cisco Talos - DNS Hijacking Abuses Trust In Core Internet Service. https:\/\/blog.talosintelligence.com\/2019\/04\/seaturtle.html."},{"key":"e_1_3_2_2_8_1","unstructured":"2019. Email addresses harvester. https:\/\/github.com\/maldevel\/EmailHarvester."},{"key":"e_1_3_2_2_9_1","unstructured":"2019. Google \/ Harris Poll - Online Security Survey. https:\/\/services.google.com\/fh\/files\/blogs\/google_security_infographic.pdf."},{"key":"e_1_3_2_2_10_1","unstructured":"2020. https:\/\/securitytxt.org\/."},{"key":"e_1_3_2_2_11_1","unstructured":"2020. ChromeDriver - WebDriver for Chrome. https:\/\/sites.google.com\/a\/chromium.org\/chromedriver\/downloads."},{"key":"e_1_3_2_2_12_1","unstructured":"2020. The Chromium Projects - HTTP Strict Transport Security. https:\/\/www.chromium.org\/hsts."},{"key":"e_1_3_2_2_13_1","unstructured":"2020. Geckodriver. https:\/\/github.com\/mozilla\/geckodriver."},{"key":"e_1_3_2_2_14_1","unstructured":"2020. McAfee - Customer URL Ticketing System. https:\/\/trustedsource.org\/en\/feedback\/url."},{"key":"e_1_3_2_2_15_1","unstructured":"2020. MDN Web Docs - Subresource Integrity. 
https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Subresource_Integrity."},{"key":"e_1_3_2_2_16_1","unstructured":"2020. Puppeteer. https:\/\/developers.google.com\/web\/tools\/puppeteer."},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/1367497.1367568"},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420952"},{"key":"e_1_3_2_2_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991091"},{"key":"e_1_3_2_2_20_1","volume-title":"NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications. In 27th USENIX Security Symposium (USENIX Security '18)","author":"Alhuzali Abeer","year":"2018"},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1526709.1526784"},{"key":"e_1_3_2_2_22_1","volume-title":"11th USENIX Workshop on Offensive Technologies (WOOT 17)","author":"Bock Kevin","year":"2017"},{"key":"e_1_3_2_2_23_1","volume-title":"CookiExt: Patching the browser against session hijacking attacks. Journal of Computer Security","author":"Bugliesi Michele","year":"2015"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663749"},{"key":"e_1_3_2_2_25_1","volume-title":"Proceedings of the 25th International Conference on World Wide Web (WWW '16)","author":"Cahn Aaron"},{"key":"e_1_3_2_2_26_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Calzavara Stefano","year":"2018"},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00053"},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038923"},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"crossref","unstructured":"Stefano Calzavara, Alvise Rabitti, and Michele Bugliesi. 2018b. 
Sub-session hijacking on the web: Root causes and prevention. In Journal of Computer Security.","DOI":"10.3233\/JCS-181149"},{"key":"e_1_3_2_2_30_1","volume-title":"ESORICS","author":"Calzavara Stefano","year":"2019"},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380092"},{"key":"e_1_3_2_2_32_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Chen Jianjun","year":"2018"},{"key":"e_1_3_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920299"},{"key":"e_1_3_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2220352.2220353"},{"key":"e_1_3_2_2_35_1","volume-title":"Proceedings of the 18th Conference on USENIX Security Symposium. USENIX Association, 267--282","author":"Dalton Michael","year":"2009"},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131391"},{"key":"e_1_3_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2017.2747598"},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180337.1180344"},{"key":"e_1_3_2_2_39_1","volume-title":"Presented as part of the 21st USENIX Security Symposium (USENIX Security 12)","author":"Doup\u00e9 Adam"},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978313"},{"key":"e_1_3_2_2_41_1","volume-title":"Proceedings of the 24th International Conference on World Wide Web. International World Wide Web Conferences Steering Committee.","author":"Englehardt Steven"},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978385"},{"key":"e_1_3_2_2_43_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Franken Gertjan","year":"2018"},{"key":"e_1_3_2_2_44_1","volume-title":"An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web. 
In 27th USENIX Security Symposium (USENIX Security 18)","author":"Ghasemisharif Mohammad","year":"2018"},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1007\/s13198-015-0376-0"},{"key":"e_1_3_2_2_46_1","volume-title":"Proceedings of the 2020 Workshop on Measurements, Attacks, and Defenses for the Web.","author":"Jonker B. Krumnow H."},{"key":"e_1_3_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.38"},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866400"},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313521"},{"key":"e_1_3_2_2_50_1","volume-title":"Fingerprint Surface-Based Detection of Web Bot Detectors. In European Symposium on Research in Computer Security. Springer, 586--605","author":"Jonker Hugo","year":"2019"},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278568"},{"key":"e_1_3_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23162"},{"key":"e_1_3_2_2_53_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Krombholz Katharina","year":"2017"},{"key":"e_1_3_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/1774088.1774480"},{"key":"e_1_3_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038912.3052686"},{"key":"e_1_3_2_2_56_1","volume-title":"HTTPS: Cookie Theft by Removing Cookie Flags","author":"Kwon H.","year":"2019"},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134091"},{"key":"e_1_3_2_2_58_1","volume-title":"You've Got Vulnerability: Exploring Effective Vulnerability Notifications. In 25th USENIX Security Symposium (USENIX Security 16)","author":"Li Frank","year":"2016"},{"key":"e_1_3_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382267"},{"key":"e_1_3_2_2_60_1","volume-title":"New Tricks For Defeating SSL In Practice. 
BlackHat DC (Feb","author":"Marlinspike Moxie","year":"2009"},{"key":"e_1_3_2_2_61_1","volume-title":"SICHERHEIT 2018","author":"Marx Matthias","year":"2018"},{"key":"e_1_3_2_2_62_1","volume-title":"Quantifying Users' Beliefs about Software Updates. CoRR","author":"Mathur Arunesh","year":"2018"},{"key":"e_1_3_2_2_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3178876.3186091"},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897889"},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382274"},{"key":"e_1_3_2_2_66_1","volume-title":"Engineering Secure Software and Systems, \u00dalfar Erlingsson","author":"Nikiforakis Nick"},{"key":"e_1_3_2_2_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987475"},{"key":"e_1_3_2_2_68_1","volume-title":"An analysis of various tools, methods and systems to generate fake accounts for social media","author":"Pathak Avanish","year":"2014"},{"key":"e_1_3_2_2_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133973"},{"key":"e_1_3_2_2_70_1","volume-title":"NEZHA: Efficient Domain-Independent Differential Testing. In 2017 IEEE Symposium on Security and Privacy (SP)","volume":"00","author":"Petsios T.","year":"2017"},{"key":"e_1_3_2_2_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2421008"},{"key":"e_1_3_2_2_72_1","volume-title":"2011 33rd International Conference on Software Engineering (ICSE). 261--270","author":"Ramasubbu N."},{"key":"e_1_3_2_2_73_1","unstructured":"Sebastian Roth, Timothy Barron, Stefano Calzavara, Nick Nikiforakis, and Ben Stock. 2020. Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies. 
In NDSS."},{"key":"e_1_3_2_2_74_1","doi-asserted-by":"crossref","unstructured":"Quirin Scheitle, Oliver Hohlfeld, Julien Gamba, Jonas Jelten, Torsten Zimmermann, Stephen D. Strowes, and Narseo Vallina-Rodriguez. 2018. A Long Way to the Top: Significance, Structure, and Stability of Internet Top Lists. In IMC.","DOI":"10.1145\/3278532.3278574"},{"key":"e_1_3_2_2_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.35"},{"key":"e_1_3_2_2_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/2994620.2994638"},{"key":"e_1_3_2_2_77_1","volume-title":"The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information. In Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P '16)","author":"Sivakorn Suphannee"},{"key":"e_1_3_2_2_78_1","volume-title":"Studying Minified and Obfuscated Code in the Web. In The World Wide Web Conference. 1735--1746","author":"Skolka Philippe","year":"2019"},{"key":"e_1_3_2_2_79_1","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131385"},{"key":"e_1_3_2_2_80_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140443"},{"key":"e_1_3_2_2_81_1","volume-title":"In Network and Distributed System Security Symposium (NDSS).","author":"Son Sooel","year":"2013"},{"key":"e_1_3_2_2_82_1","doi-asserted-by":"crossref","unstructured":"Marius Steffens, Christian Rossow, Martin Johns, and Ben Stock. 2019. Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild. 
In NDSS.","DOI":"10.14722\/ndss.2019.23009"},{"key":"e_1_3_2_2_83_1","volume-title":"How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium (USENIX Security 17)","author":"Stock Ben","year":"2017"},{"key":"e_1_3_2_2_84_1","volume-title":"25th USENIX Security Symposium (USENIX Security 16)","author":"Stock Ben","year":"2016"},{"key":"e_1_3_2_2_85_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813625"},{"key":"e_1_3_2_2_86_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660321"},{"key":"e_1_3_2_2_87_1","volume-title":"2013 International Conference on Availability, Reliability and Security.","author":"Unger T."},{"key":"e_1_3_2_2_88_1","doi-asserted-by":"publisher","DOI":"10.1145\/2858036.2858303"},{"key":"e_1_3_2_2_89_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.30"},{"key":"e_1_3_2_2_90_1","volume-title":"Signing Me Onto Your Accounts Through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. In 2012 IEEE Symposium on Security and Privacy (SP '12)","author":"Wang Rui","year":"2012"},{"key":"e_1_3_2_2_91_1","volume-title":"Out of the Loop: How Automated Software Updates Cause Unintended Security Consequences. In 10th Symposium On Usable Privacy and Security (SOUPS","author":"Wash Rick","year":"2014"},{"key":"e_1_3_2_2_92_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978363"},{"key":"e_1_3_2_2_93_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Yang Ronghai","year":"2018"},{"key":"e_1_3_2_2_94_1","volume-title":"Cookies Lack Integrity: Real-World Implications. 
In 24th USENIX Security Symposium (USENIX Security 15)","author":"Zheng Xiaofeng","year":"2015"},{"key":"e_1_3_2_2_95_1","volume-title":"Proceedings of 4th Web","volume":"2","author":"Zhou Yuchen","year":"2010"},{"key":"e_1_3_2_2_96_1","volume-title":"SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In 23rd USENIX Security Symposium (USENIX Security 14)","author":"Zhou Yuchen","year":"2014"},{"key":"e_1_3_2_2_97_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00009"},{"key":"e_1_3_2_2_98_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134089"}],"event":{"name":"CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event USA","acronym":"CCS '20","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372297.3417869","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3372297.3417869","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:01:31Z","timestamp":1750197691000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372297.3417869"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,10,30]]},"references-count":98,"alternative-id":["10.1145\/3372297.3417869","10.1145\/3372297"],"URL":"https:\/\/doi.org\/10.1145\/3372297.3417869","relation":{},"subject":[],"published":{"date-parts":[[2020,10,30]]},"assertion":[{"value":"2020-11-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}